Jan 21, 2010

Security in SharePoint Client Object Model

Available authentication types for managed .net client OM include:
  • Anonymous
    web applications need to be anonymous and Client OM permission requirement need to be unchecked as well:

    Even so, some operation like list.getitems(query) are blocked for undocumented reasons.
  • Default (Window Authentication)
  • By default, both .Net Client OM and Silverlight Client OM use window authentication, and credentials are passed through, i.e, sharepoint will authenticate the user who is running client applications.
      For web client application, when debugging in VStudio (F5), it is account running VStudio that will be passed, but for IIS sites, it is either App Pool ID (by default, no impersonation) or user login in account( when impersonation enabled) or anonymous accout (when anonymous enabled)
    • FormsAuthentication

    Addition security restriction:

    • ECMAScript Client OM can only access SharePoint data for current site, no cross site scripting allowed (no place in ECMA OM you can pass credential ). That means ECMAScript Client OM can only be used in SharePoint context, such as application page, web part, and dialogue.
    • Silverlight Client OM can only access resource from the same domain unless explicitly defining clientaccsspolicy.xml.